I used to think the only one way to update a user password is through WordPress’ interface.
But there are situations where you may be logged out of the system and, say, the site was hacked and you’re unable to update/reset the password through the traditional methods.
Since WordPress is a database driven application, and the user account information is stored in the WordPress table name wp_users (or whatever table prefix you’ve used), you can update the password directly in the database, if you do what I’ll show you below…
How WordPress Stores Passwords
User passwords are stored in the WordPress database in a MD5-encrypted string. This is a more secure way of storing sensitive information than plain text but when you are in a time crunch, it can be frustrating.
MD5 is designed for one-way encryption which means that you can encrypt new passwords but you will not be able to decrypt existing passwords. This is why if you lose your password, you need to reset it rather than have WordPress email your password to you.
Before we get into how to properly update the password, a brief overview is in order.
The WordPress database consists of many tables to store posts, links, comments, users etc. These tables have, by standard default names like wp_users, wp_options, wp_posts, etc. See below.
Most of the time, the user password is stored in the wp_users table.
But, if you are like me, and like to tighten up your WordPress security by eschewing the default WordPress table prefix and change it from “wp_” to something random and unique like “ka86cNpxT_”, just look for the table that ends in “_users”. That is probably the table you want.
Updating Encrypted Passwords
So, in the default WordPress database example here, I am using phpMyAdmin to navigate to the wp_users table
If you click on the “Browse” link, you will see a list of all the users.
In this case, there is only one user. And you’ll notice that the password is stored in the column named “user_pass”.
Notice the long string of random-looking text?
That’s the MD5-encrypted version of the password which, for the sake of this article, happens to be “password”; obviously you would NEVER use that are your password. 🙂
So to change the password but retain the encryption, simply click on the “Edit” link on the far left or the row.
This opens the table row editor and, normally when you change an entry in a database you can simply type in the new information but if you just do that for the password it won’t be encrypted and WordPress will think it is and you won’t be able to log in
To overcome that, simply go to user_pass row, select “MD5” under the “function” column and now you can type in the password in plain text.
When you save the row’s information, the MD5 encryption kicks in and encrypts the password.
Viola! You can now log in with the password you just entered.
One Final Thing
There is one caveat that only happens every now and then. Sometimes the password update doesn’t appear to take effect.
Most likely it is a caching issue and spending couple of minutes (or maybe an hour) away from your computer will solve the problem. You could also try clearing any caches.
Of course, you also may have mistyped the password so you can try that also.